Hundreds of Dropbox credentials reportedly leaked online, company denies breach

Posted:
in General Discussion edited October 2014
A thread on Reddit late Monday linked to a cache of Dropbox usernames and corresponding passwords allegedly gleaned from a Dropbox breach, but the company maintains its servers were not infiltrated and instead placed blame on an unnamed third-party service.

Dropbox


Along with the approximately 400 usernames and passwords posted to Pastebin in plain text, hackers claimed to be in possession of access data for up to 7 million accounts taken directly from Dropbox servers, reports The Next Web.

In a statement issued on its official blog shortly after the leak, Dropbox denied the breach, saying user credentials were scraped from unrelated services and tested on numerous websites for compatibility.
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Dropbox told the publication that it had previously detected the attacks, noting all passwords in the list are no longer in service, with a "vast majority" having been expired "for some time now."

For those who have not yet enabled two-step verification, Dropbox provides instructions on activating the security protocol built in to users' security settings. By turning on two-factor authentication, an account can only be accessed after entering in a six-digit time-sensitive code generated by specialized apps like Google Authenticator. Alternatively, the system can send out codes to a trusted device via text message.
«13

Comments

  • Reply 1 of 56
    solipsismxsolipsismx Posts: 19,566member
    Here is what 1Password has to say about it for those that still store your 1PDB in Dropbox.

    [LIST]
    [*] http://blog.agilebits.com/2014/01/12/dropbox-breach-hoax-1password-security-master-password/
    [/LIST]
  • Reply 2 of 56
    philboogiephilboogie Posts: 7,438member
    By my count that is the fourth time, in what, 2 years?
  • Reply 3 of 56
    solipsismxsolipsismx Posts: 19,566member
    philboogie wrote: »
    By my count that is the fourth time, in what, 2 years?

    This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform specific passwords that will only allow itself to be used in one place, never to access their website directly, as well allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches.
  • Reply 4 of 56
    philboogiephilboogie Posts: 7,438member
    solipsismx wrote: »
    This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform specific passwords that will only allow itself to be used in one place, never to access their website directly, as well allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches.

    While that's a valid point that is isn't their fault, to the end user it is, again, 'bad dropbox news; now I need to change my password again' situation. And simply changing your password doesn't automatically log you out on any device or browser that was already logged in.

    No, many things need to change at their end, your mention app/platform specific passwords being another one.
  • Reply 5 of 56
    solipsismxsolipsismx Posts: 19,566member
    philboogie wrote: »
    And simply changing your password doesn't automatically log you out on any device or browser that was already logged in.

    You can see which browsers and IP addresses have logged into Dropbox, as well Unlink any devices, but I don't think a password change is in order with this alleged breach.
  • Reply 6 of 56
    philboogiephilboogie Posts: 7,438member
    solipsismx wrote: »
    You can see which browsers and IP addresses have logged into Dropbox, as well Unlink any devices, but I don't think a password change is in order with this alleged breach.

    Indeed, but that's unlinking (not syncing anymore) but you cannot 'sign all browsers out' of Dropbox from their site, like you can with Apple.

    As for changing your password, if your account has indeed been accessed by someone else they already had the opportunity to download all data. Changing your password will only help to secure new (or changed) data.

    edit: I see they do have two-step verification, so that's good!
  • Reply 7 of 56
    @philboogie but it's the same with Apple's issues. To the end user, only the "big name" stays in memory. Hell, it's also the big name that makes the news, not "Operation Troll Security". People are people, and I guess that it's asking way too much to demand that non-tech people are tech-security savvy. That's what makes 1Passwd so valuable to people like my mum ^^
  • Reply 8 of 56
    philboogiephilboogie Posts: 7,438member
    ^ post

    Very true.
  • Reply 9 of 56
    There's a reason I've never trusted Dropbox.

    Thank goodness I've never had an account.
  • Reply 10 of 56
    I've stated this more than a few times, but in my experience with many clients and friends, the ability and freedom to create your own password should be taken away from most (all?) users.

    With that said... the next biggest problem is how to do password recovery (2FA but with randomized keys?)... and how to get people to use a password manager rather than just simply writing PW's down or worse, saving them in their email folders or notes online.

    I also think that Apple has a unique opportunity to make TouchID ubiquitous and to allow it to be used in replacement of 2FA and as a unique identifier. Plus I wholeheartedly want them to turn on 256bit*** encryption of iCloud accounts/backups... and force users to opt out through advanced settings.

    *** If technically feasible and only unlocked with the strong password, a random key sent to an authorized device, and TouchID... twice along the way.

    Basically:

    1) lock it all down... and with encryption;
    2) take the keys to unintelligible decisions away from the average non-tech person;
    3) rather than hasty decisions and jumping thru hoops in the set-up[S] faze[/S] phase (had a black out there), make the "lock down" decisions default... and advanced settings/opt outs later... with discouragement every step of the way.

    Security can no longer be left in the hands of the average user.

    NOTE: on Ars... it was reported in the comments that a number of passwords were of the simple "one word" variety that are easily brute-forced within minutes of access to a user-name. Also that many UID and PW combos were used across services, as well as across email accounts. Get the combo right, and use for many services across a users online presence.

    Edited: for momentary spelling black out... :rolleyes:
  • Reply 11 of 56
    There's a reason I've never trusted Dropbox.

    Thank goodness I've never had an account.

    It appears that most of the accounts were not hacked on DBs servers, but re-used UID and PW combos across different servers... that actually had been compromised.

    DB is an OK service, depending on what you use it for. I use it as a "project box" for clients... and clean it out as soon as a project is synced or downloaded.
  • Reply 12 of 56
    Quote:
    Originally Posted by ThePixelDoc View Post



    With that said... the next biggest problem is how to do password recovery (2FA but with randomized keys?)... and how to get people to use a password manager rather than just simply writing PW's down or worse, saving them in their email folders or notes online.





    NOTE: on Ars... it was reported in the comments that a number of passwords were of the simple "one word" variety that are easily brute-forced within minutes of access to a user-name. Also that many UID and PW combos were used across services, as well as across email accounts. Get the combo right, and use for many services across a users online presence.



    Edited: for momentary spelling black out... image

     

    Personally, I'd rather have them write them down if it means they'll use a longer, more complex one. Most of these people aren't having their passwords stolen locally, they're just too short to stand up to any reasonable BFA.

  • Reply 13 of 56
    MacProMacPro Posts: 18,155member
    While on the topic of Drop Box and cloud storage in general, I have a few words about iCloud Drive. I know Apple's iCloud Drive doesn't have the sharing feature and costs more but man is it simple and fast! Simple as in it's just another external drive on my Mac, 100% part of the Finder ... only it is on all my Macs .... Fast as in I have run HD video from it!

    I spent the weekend testing all the cloud services I could and iCloud Drive was far and away the fastest. Several less expensive systems were barely dial up speed. I was able to run Blackmagic Disk Speed Test on my iCloud Drive getting 240 MB/s in both read and write which blew my mind and this from a new Mac Pro on ethernet and a MBP via WiFi and a Time Capsule Router

    I wanted to test using it for running an Aperture Vault of >350 GIGs which is why I need a cloud storage system mainly. It is so fast one could run the actual Library! However, the transition to iCloud Drive from iCloud i.e. the 10.9-10.10 is still a work in progress and the upgrade to 500 GIGs doesn't apply to the iCloud Drive yet. Running Yosemite my System Preferences shows I have 500 GIGs yet I am only seeing 50 GIGs. I am guessing that 500 GIGs is currently applied to the Mavericks supported elements only at present. It will be interesting to see what happens once Yosemite is officially released hopefully this month. Will the dev version see the space available in the iCloud Drive when Apple flip a switch or only the release version I wonder?
  • Reply 14 of 56
    koopkoop Posts: 337member
    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.

    Just my two cents, and you get 5 copies of office as well as office for iPad.
  • Reply 15 of 56
    MacProMacPro Posts: 18,155member
    Personally, I'd rather have them write them down if it means they'll use a longer, more complex one. Most of these people aren't having their passwords stolen locally, they're just too short to stand up to any reasonable BFA.

    I always use the Apple automatically suggested passwords these days, given Keychain works and syncs across all my devices it's a no brainer I am puzzled why more folks don't use it? Oh .. It isn't a Yosemite only feature is it? I don't think so, although to be honest I can't even remember Mavericks these days!
  • Reply 16 of 56
    MacProMacPro Posts: 18,155member
    koop wrote: »
    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.

    Just my two cents, and you get 5 copies of office as well as office for iPad.

    That was a service i didn't test. Can you run a speed test on that? Or do you happen to know the read / write performance specs by any chance?
  • Reply 17 of 56
    While on the topic of Drop Box and cloud storage in general, I have a few words about iCloud Drive. I know Apple's iCloud Drive doesn't have the sharing feature and costs more but man is it simple and fast! Simple as in it's just another external drive on my Mac, 100% part of the Finder ... only it is on all my Macs .... Fast as in I have run HD video from it!

    I spent the weekend testing all the cloud services I could and iCloud Drive was far and away the fastest. Several less expensive systems were barely dial up speed. I was able to run Blackmagic Disk Speed Test on my iCloud Drive getting 240 MB/s in both read and write which blew my mind and this from a new Mac Pro on ethernet and a MBP via WiFi and a Time Capsule Router

    I wanted to test using it for running an Aperture Vault of >350 GIGs which is why I need a cloud storage system mainly. It is so fast one could run the actual Library! However, the transition to iCloud Drive from iCloud i.e. the 10.9-10.10 is still a work in progress and the upgrade to 500 GIGs doesn't apply to the iCloud Drive yet. Running Yosemite my System Preferences shows I have 500 GIGs yet I am only seeing 50 GIGs. I am guessing that 500 GIGs is currently applied to the Mavericks supported elements only at present. It will be interesting to see what happens once Yosemite is officially released hopefully this month. Will the dev version see the space available in the iCloud Drive when Apple flip a switch or only the release version I wonder?

    That's some serious speed(!) Is the iCloud drive encrypted? Can it be? Just curious. I'm using BitTorrent Sync to a secure non-local server that I own which I'm very happy with, but I would like to move a client or 2 to something like the iCloud Drive for ease of use.

    The encryption part would just buttress my rants I've had in front of clients about other alternatives... :smokey:
  • Reply 18 of 56
    Not sure how this happened, but somehow it has to be Apple's fault. Yeah, those 'hacked' credentials from iCloud were used to access Dropbox. There's no other possible explanation.
  • Reply 19 of 56
    MacProMacPro Posts: 18,155member
    That's some serious speed(!) Is the iCloud drive encrypted? Can it be? Just curious. I'm using BitTorrent Sync to a secure non-local server that I own which I'm very happy with, but I would like to move a client or 2 to something like the iCloud Drive for ease of use.

    The encryption part would just buttress my rants I've had in front of clients about other alternatives... :smokey:

    I doubt it is encrypted but you could easily do that yourself I assume just as you could to any other attached drive. Yes, I am still in shock it the speed of the beast. Hopefully it won't slow once the unwashed hordes have access ;) BTW you can drag a folder off the iCloud Drive onto an encryption app, I just tested with a simple hiding app called Ghost Sphere and it was able to hide the folder on the iCloud Drive, trivial I know but it shows it truly is very Finder compatible. Strangely I can't drag a self made folder into the Finder's side bar to alias for some reason, but I can add them to the dock which is cool. You can add an Apple provided folders, iWork folders for example, to the Finders side bar and dock.

    This is what I see in Sys Prefs ... Just wish I could access it!
    1000
  • Reply 20 of 56
    Quote:

    Originally Posted by koop View Post



    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.



    Just my two cents, and you get 5 copies of office as well as office for iPad.

     

    I'm a big fan of Office 365. 5 accounts each with their own 1TB of storage for $99 a year.

     

    Oh, and they throw in a FULL version of Office as well (including Access).

Sign In or Register to comment.